LE WebServer ssl fail

yaboc
Hi,

I have 2 fspbx servers (1.9.0) in HA, previously behind a Pangolin reverse proxy, but to implement the new SSL for FreeSWITCH I decided to move both servers to their own IPs to make things easier. Both servers have 80 and 443 open.

I'm able to access the pbx1/2.domain.com fspbx web GUI on port 80.

I'm trying to run the webserver SSL script but I'm getting an error message that it can't find the challenge file/token on the server (I get a 404 when I access the URL).

There's no token in /var/www/fspbx/public/.well-known/acme-challenge.

When I create a test.txt file in /var/www/fspbx/public/.well-known/acme-challenge
and try to access it with http://pbx1.domain.com/.well-known/acme-challenge/test.txt I'm getting 404 file not found.


I checked the dehydrated config:

Code:
cat /etc/dehydrated/config
BASEDIR=/etc/dehydrated
WELLKNOWN=/var/www/fspbx/public/.well-known/acme-challenge

Code:
@pbx1:/var/www/fspbx# sudo php artisan app:install-lets-encrypt-certificate

 Enter the domain for SSL (e.g., us.domain.com):
 > pbx1.domain.com

Installing Dehydrated...

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

Configuring Dehydrated...
Registering account and generating SSL certificate...
ERROR: Challenge is invalid! (returned: invalid) (result: ["type"]      "http-01"
["url"] "https://acme-v02.api.letsencrypt.org/acme/chall/3480332836/72956/MLs"
["status"]      "invalid"
["validated"]   "2026-06-28T05:50:21Z"
["error","type"]        "urn:ietf:params:acme:error:unauthorized"
["error","detail"]      "xx.xx.xx.xx: Invalid response from http://pbx1.domain.com/.well-known/acme-challenge/lEfFvviXOMiBvXdmvxF6fvfjpP-kSWDGNbvjDo: 404"
["error","status"]      403
["error"]       {"type":"urn:ietf:params:acme:error:unauthorized","detail":"xx.xx.xx.xx: Invalid response from http://pbx1.domain.com/.well-known/acme-challenge/lEfFvviXOMiBvXdmvxF6fvfjpP-kSWDGNbvjDo: 404","status":403}
["token"]       "lEfFvviXOMiBvXdmvxF6fvfjpP-kSWDGNbvjDo"
["validationRecord",0,"url"]    "http://pbx1.domain.com/.well-known/acme-challenge/lEfFvviXOMiBvXdmvxF6fvfjpP-kSWDGNbvjDo"
["validationRecord",0,"hostname"]       "pbx1.domain.com"
["validationRecord",0,"port"]   "80"
["validationRecord",0,"addressesResolved",0]    "xx.xx.xx.xx"
["validationRecord",0,"addressesResolved"]      ["xx.xx.xx.xx"]
["validationRecord",0,"addressUsed"]    "xx.xx.xx.xx"
["validationRecord",0]  {"url":"http://pbx1.domain.com/.well-known/acme-challenge/lEfFvviXOMiBvXdmvxF6fvfjpP-kSWDGNbvjDo","hostname":"pbx1.domain.com","port":"80","addressesResolved":["xx.xx.xx.xx"],"addressUsed":"xx.xx.xx.xx"}
["validationRecord"]    [{"url":"http://pbx1.domain.com/.well-known/acme-challenge/lEfFvviXOMiBvXdmvxF6fvfjpP-kSWDGNbvjDo","hostname":"pbx1.domain.com","port":"80","addressesResolved":["xx.xx.xx.xx"],"addressUsed":"xx.xx.xx.xx"}])
Error: Certificate generation failed!

Also, can I use *.domain.com for the LE SSL script if I have 2 servers pbx1/2.domain.com that are accessed with pbx.domain.com, once I get the LE script to work? Is there a way to use the DNS challenge with the fspbx sudo php artisan app:install-lets-encrypt-certificate script?

Thanks in advance!
The new Freeswitch TLS script took over this one and broke it. I just pushed a fix for it and tested it on one of my servers. Download updates and retry.

This script doesn't support a wildcard certificate. If you need a wildcard cert, your DNS service must support API. You will need to ask an AI to write a script for you or search this forum for suggestions. Wildcard certificate validation is not as simple as a single domain.
@pbxgeek

So I pulled and upgraded to the latest 1.9.3,
but I'm still getting the error and the acme challenge token is not found on the server.

Code:
Command failed: dehydrated -c. ERROR: Challenge is invalid! (returned: invalid) (result: ["type"]     "http-01"
["url"] "https://acme-v02.api.letsencrypt.org/acme/chall/3486/7296/Gnjw"
["status"]      "invalid"
["validated"]   "2026-06-28T16:36:39Z"
["error","type"]        "urn:ietf:params:acme:error:connection"
["error","detail"]      "During secondary validation: xx.xx.xx.xx: Fetching http://pbx1.domain.com/.well-known/acme-challenge/puQF2-Cz7NbCKlCb2otOEHZb9eTY7wvhUCnpIKvimxY: Timeout during connect (likely firewall problem)"
["error","status"]      400
["error"]       {"type":"urn:ietf:params:acme:error:connection","detail":"During secondary validation: xx.xx.xx.xx: Fetching http://pbx1.domain.com/.well-known/acme-challenge/puQF2-Cz7NbCKlCb2otOEHZb9eTY7wvhUCnpIKvimxY: Timeout during connect (likely firewall problem)","status":400}
["token"]       "puQF2-Cz7NbCKlCb2otOEHZb9eTY7Y"
["validationRecord",0,"url"]    "http://pbx1.domain.com/.well-known/acme-challenge/puQF2-Cz7NbCKlCb2otOEHZb9eTY7Y"
["validationRecord",0,"hostname"]       "pbx1.domain.com"
["validationRecord",0,"port"]   "80"
["validationRecord",0,"addressesResolved",0]    "xx.xx.xx.xx"
["validationRecord",0,"addressesResolved"]      ["xx.xx.xx.xx"]
["validationRecord",0,"addressUsed"]    "xx.xx.xx.xx"
["validationRecord",0]  {"url":"http://pbx1.domain.com/.well-known/acme-challenge/puQF2-Cz7NbCKlCb2otOEHZb9eTY7Y","hostname":"pbx1.domain.com","port":"80","addressesResolved":["xx.xx.xx.xx"],"addressUsed":"xx.xx.xx.xx"}
["validationRecord"]    [{"url":"http://pbx1.domain.com/.well-known/acme-challenge/puQF2-Cz7NbCKlCb2otOEHZb9eTY7Y","hostname":"pbx1.domain.com","port":"80","addressesResolved":["xx.xx.xx.xx"],"addressUsed":"xx.xx.xx.xx"}])

But I can now see the manually created test.txt:
when I create a test.txt file in /var/www/fspbx/public/.well-known/acme-challenge
and try to access it with http://pbx1.domain.com/.well-known/acme-challenge/test.txt, it's there.
 
Are you able to install the Freeswitch certificate? The directory is the same. I understand your problem, but it’s unusual. If you can read one file from that directory, you should be able to read others as well.

At this point, it’s challenging to determine the issue without examining your nginx configuration and running live logs. You might need to contact support for assistance.
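A pre-flight check that reproduces what the Let's Encrypt validator does (drop a token into WELLKNOWN, fetch it over plain HTTP) and classifies the result into the two failure modes seen in this thread, a 404 from the web server and a connect timeout. This is an added example, not part of the thread or of the FS PBX script; the directory and URL are whatever you pass in, and the file content is a constructed stand-in for the real key authorization.

```python
"""Pre-flight check for an ACME http-01 challenge directory.

Writes a random token into the WELLKNOWN directory, fetches it at
http://<host>/.well-known/acme-challenge/<token> and reports what came back,
so the web server / firewall side can be verified before dehydrated runs.
"""
import os
import secrets
import socket
import urllib.error
import urllib.request

ACME_PATH = "/.well-known/acme-challenge/"


def probe_http01(wellknown_dir, base_url, timeout=5.0):
    """Return (status, detail). status is one of:
    ok          - the file we wrote came back byte-for-byte
    not_found   - HTTP 404: the web server does not serve WELLKNOWN at this URL
    mismatch    - HTTP 200 with other content (another vhost or proxy answered)
    unreachable - connect failure or timeout (firewall, wrong IP, nothing on :80)
    http_error  - any other HTTP status
    """
    token = secrets.token_urlsafe(32)
    # Constructed stand-in for the key authorization string (token.thumbprint).
    expected = token + "." + secrets.token_urlsafe(16)
    os.makedirs(wellknown_dir, exist_ok=True)
    path = os.path.join(wellknown_dir, token)
    with open(path, "w") as fh:
        fh.write(expected)
    url = base_url.rstrip("/") + ACME_PATH + token
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
        if body == expected:
            return ("ok", url)
        return ("mismatch", body[:80])
    except urllib.error.HTTPError as exc:
        status = "not_found" if exc.code == 404 else "http_error"
        return (status, f"HTTP {exc.code} for {url}")
    except (urllib.error.URLError, socket.timeout, OSError) as exc:
        return ("unreachable", f"{exc} for {url}")
    finally:
        os.remove(path)  # never leave stale tokens behind


if __name__ == "__main__":
    # Run on the PBX itself; WELLKNOWN must match /etc/dehydrated/config.
    print(probe_http01("/var/www/fspbx/public/.well-known/acme-challenge",
                       "http://pbx1.domain.com"))
```

A `not_found` result means the nginx vhost answering on port 80 is not mapping the path to WELLKNOWN; `unreachable` points at the firewall or DNS rather than the web server.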